[TFC CTF 2022] ARE YOU THE ADMIN?

by skyepodium 2022. 7. 31.

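1. Overview

A challenge about tampering with a request through a proxy server.

A textbook Burp Suite challenge.

2. Analysis

Looking at the code, the values that arrive in the request are used as-is to create the user.

isAdmin defaults to false, but the request is intercepted in the Burp Suite proxy and sent on with isAdmin set to true.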

generator client {
  provider = "prisma-client-js"
}

datasource db {
  provider = "sqlite"
  url      = "file:./app.db"
}

model User {
  id       String  @id @default(uuid())
  username String
  isAdmin  Boolean @default(false)
}

import { NextApiRequest, NextApiResponse } from "next";
import { prisma } from "../../globals/prisma";

export default async function handler(
  req: NextApiRequest,
  res: NextApiResponse
) {
  const body = req.body;
  await prisma.user.create({
    data: body,
  });
  return res.status(200).end();
}

import type { GetServerSideProps, NextPage } from "next";
import type { User } from "@prisma/client";
import { prisma } from "../globals/prisma";
import { useState } from "react";
import { useRouter } from "next/router";

type Props = {
  users: (User &
    (
      | {
          flag: string;
          isAdmin: true;
        }
      | {
          flag?: never;
          isAdmin: false;
        }
    ))[];
};

const Home: NextPage<Props> = ({ users }) => {
  const [username, setUsername] = useState("");

  const router = useRouter();

  const create = async () => {
    await fetch("/api/auth", {
      headers: {
        "Content-Type": "application/json",
      },
      method: "POST",
      body: JSON.stringify({
        username,
      }),
    });
    await router.replace(router.asPath);
  };

  return (
    <div>
      <div>Create user:</div>
      <input
        value={username}
        onChange={(event) => setUsername(event.target.value)}
      />
      <button onClick={create}>Create</button>
      <div>Users:</div>
      {users.map((user) => (
        <div key={user.id}>
          <div>Username: {user.username}</div>
          <div>Is admin? {user.isAdmin ? "yes" : "no"}</div>
          {user.isAdmin && <div>{user.flag}</div>}
        </div>
      ))}
    </div>
  );
};

export default Home;

export const getServerSideProps: GetServerSideProps<Props> = async (
  context
) => {
  const users = (await prisma.user.findMany()) as Props["users"];

  for (const user of users) {
    if (user.isAdmin) {
      user.flag = process.env.FLAG!;
    }
  }

  return {
    props: {
      users,
    },
  };
};


In the Burp Suite proxy, add isAdmin: true to the request body.

That returns the flag.
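The handler above hands the request body straight to prisma.user.create, which is why a proxy-added isAdmin field ends up in the database. As an added example (not part of the original write-up or the challenge source), the code below contrasts that shape with an allowlisted version of the same handler logic. createUser is an in-memory stand-in for the Prisma call, and the ids and the 32-character username limit are assumptions.

```typescript
type UserRow = { id: string; username: string; isAdmin: boolean };
type CreateUserInput = { username: string };

const MAX_USERNAME_LENGTH = 32; // assumed limit, not from the challenge

// Return only the fields a client is allowed to set, or null if the body is malformed.
function parseCreateUser(body: unknown): CreateUserInput | null {
  if (typeof body !== "object" || body === null || Array.isArray(body)) return null;
  const username = (body as Record<string, unknown>).username;
  if (typeof username !== "string") return null;
  const trimmed = username.trim();
  if (trimmed.length === 0 || trimmed.length > MAX_USERNAME_LENGTH) return null;
  return { username: trimmed }; // isAdmin and every other key are dropped here
}

// Stand-in for prisma.user.create (assumption): applies the schema default isAdmin = false.
function createUser(data: { username: string; isAdmin?: boolean }, id: string): UserRow {
  return { id, username: data.username, isAdmin: data.isAdmin ?? false };
}

// Shape of the challenge handler: the raw body reaches the create call.
function handleVulnerable(body: any): UserRow {
  return createUser(body, "constructed-id-1");
}

// Hardened shape: validate first, answer 400 on bad input, never forward unknown keys.
function handleHardened(body: unknown): { status: number; user?: UserRow } {
  const input = parseCreateUser(body);
  if (input === null) return { status: 400 };
  return { status: 200, user: createUser(input, "constructed-id-2") };
}

// Constructed request body, as it looks after the edit in the proxy.
const tampered = JSON.parse('{"username":"guest","isAdmin":true}');

console.log("vulnerable:", handleVulnerable(tampered));
console.log("hardened:  ", handleHardened(tampered));
```

In the real handler the same fix is to pass `data: { username }` built from the validated input instead of `data: body`.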
